Monitor the local administrator account activities on the Windows servers

howruaz9
Our auditor recommended that our company monitor the local administrator account activities on the Windows servers. I want to know where I can get relevant information (such as a log or something) and how to get it with Perl.

Thanks in advance
bbao, IT Consultant
Commented:
As quite a broad scope of activities can be monitored, please give the detailed requirements that your auditor recommended.

However, here is an overview of this topic. This white paper is one of the Best Practices for Enterprise Security of MSF.

Monitoring and Auditing for End Systems
http://technet.microsoft.com/en-us/library/cc750908.aspx

Hope it helps,
bbao

Author

Commented:
Monitoring all administrator activities includes who (ID), where (server name, file name), when and, most important, "what the administrator did", for example: change configuration, install/upgrade software, manage accounts, backup, create/delete files...

Many thanks bbao
bbao, IT Consultant
Commented:
In the scope of Windows (OS level), you may configure Windows to audit OS level activities including logon events, account management, policy change, privilege use, system events and more.

Which Versions of Windows Support Advanced Audit Policy Configuration?
http://technet.microsoft.com/en-us/library/dd692792%28WS.10%29.aspx

Advanced Security Audit Policy Settings
http://technet.microsoft.com/en-us/library/dd772712%28WS.10%29.aspx

However, please be aware that the above is for the scope of OS level audit, which does not include application audits, hardware changes, network changes, etc. These extra audits need to be enabled individually if it is possible and applicable. For example, server memory adjustment can be audited if the server's audit is enabled (normally it can't record who does that); SQL audit must be configured with SQL Enterprise Manager, not from Windows.

Hope it helps,
bbao
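
The OS-level audit data described in the answer above lands in the Windows Security event log. As an added example (not part of the original thread, and in Python rather than the Perl the asker mentioned), this parses a Security log exported as XML and reports who, where, when and what for the built-in Administrator account (RID 500). It assumes the relevant audit categories are enabled and an export such as `wevtutil qe Security /f:xml /e:Events`; the function names and sample records are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Security event IDs for the audit categories named above.
WATCHED = {4624: "logon", 4672: "privilege use", 4688: "process creation",
           4719: "policy change", 4720: "account management: user created",
           4732: "account management: member added to local group"}
# The built-in local Administrator keeps RID 500 even when it is renamed.
RID500 = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")

def admin_activity(xml_text):
    """Return (when, server, account, what) for watched events by the RID-500 account."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in WATCHED:
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        # 4624 names the account that logged on in Target*; the rest name the actor in Subject*.
        who = "Target" if eid == 4624 else "Subject"
        if not RID500.match(data.get(who + "UserSid", "")):
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        server = ev.findtext("e:System/e:Computer", namespaces=NS)
        rows.append((when, server, data.get(who + "UserName"), WATCHED[eid]))
    return rows

def _event(eid, when, server, **data):
    """Build one constructed record in the Security log's XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>{server}</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample (not real log data); SIDs and names are made up.
ADMIN = "S-1-5-21-1111111111-2222222222-3333333333-500"
USER = "S-1-5-21-1111111111-2222222222-3333333333-1104"
SAMPLE = "<Events>" + "".join([
    _event(4624, "2024-01-10T08:00:01Z", "SRV01", TargetUserSid=ADMIN,
           TargetUserName="Administrator", LogonType=10),
    _event(4624, "2024-01-10T08:05:00Z", "SRV01", TargetUserSid=USER,
           TargetUserName="jdoe", LogonType=2),
    _event(4720, "2024-01-10T08:07:30Z", "SRV01", SubjectUserSid=ADMIN,
           SubjectUserName="Administrator", TargetUserName="svc_tmp"),
    _event(4719, "2024-01-10T08:12:45Z", "SRV01", SubjectUserSid=ADMIN,
           SubjectUserName="Administrator"),
]) + "</Events>"
```

Matching on the SID rather than the account name keeps the filter working when the Administrator account has been renamed.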
TechnoChat, Wintel Administrator / Cloud Computing
Commented:
If you want to monitor each and every activity on a Windows server, then you can use ObserveIT. It has a free Express edition which supports 5 servers.

http://www.observeit-sys.com/products/features.asp

Thanks
Saugata

Author

Commented:
Thanks so much bbao and TechnoChat. I really appreciate your help.

Author

Commented:
Why is the rating only 7.6? It should be 9.6 at least, but I didn't know how to change it.